Sun Microsystems’ Solaris version of UNIX, which now boasts over 1 million registered users, has a buffer overflow flaw in the printer daemon (CVE designationCAN-2001-0353). This flaw makes the system vulnerable to hackers, who can crash the daemon and run arbitrary code. Sun has confirmed the problem, which was announced by Internet Security Systems on June 19, 2001. Sun also admitted that it had actually known about the problem since April. It claims that it hasn’t had any customer complaints about the problem.
However, now that this vulnerability is out in the open, it needs immediate attention from Solaris administrators since Solaris runs many of the high-end e-commerce systems on the Internet and will predictably become the target of hackers in the near future.
Common Vulnerabilities and Exposures (CVE) is a dictionary of well-known security flaws maintained by The MITRE Corporation. The purpose of CVE is to make certain everyone is using the same terminology when discussing problems and that the same problem isn’t given multiple names.
The printer daemon is a standard part of Solaris, so every version of Solaris (as well as Sun OS, the product name by which Solaris was formerly known) is potentially vulnerable to this buffer overflow attack. However, if the printer functions are blocked from remote access via a firewall, the system will be vulnerable only to inside attacks.
Level of risk
This vulnerability allows someone penetrating the system to gain “root” access and run any arbitrary programs, such as planting a Trojan Horse or a virus.
The printer daemon in.lpd monitors TCP port 515, so a remote or local attacker could crash the daemon with a buffer overflow attack. Remote attackers can make use of this vulnerability only if the system can accept remote printer commands. Again, exploiting this vulnerability would give the attacker root privileges. This printer daemon problem is particularly dangerous because all versions of Solaris are vulnerable to this attack, and the printer daemon is installed by default.
The only good news is that many Solaris systems are configured with the printer functions blocked off from the Internet by the firewall. But this probably won’t prevent internal users from taking advantage of the vulnerability. And, lest you forget, in most organizations the insider threat is actually greater than the threat from outside, particularly in times of increasing layoffs and general downsizing.
Patches have been announced by Sun and even given ID numbers but were not yet available as of the end of June. The patches are:
- Solaris 8.0_x86: 109321-04
- Solaris 8.0: 109320-04
- Solaris 7.0_x86: 107116-08
- Solaris 7.0: 107115-08
- Solaris 2.6_x86: 106236-09
- Solaris 2.6: 106235-09
Check for current availability at http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access. Until a patch is available, you can protect a system by disabling inetd or in.lpd (inetd.conf).
Other Sun problems
A number of root vulnerabilities have recently been discovered in Solaris, including a ypbind daemon vulnerability in SunOS prior to 5.8. See Sun Bulletin #00203 for details and patches.
Another problem is in cb_reset (/opt/SUNWssp/bin/cb_reset). This isn’t part of the standard Solaris install, but if you have the SUNWssp package, there is the risk of a buffer overflow attack. No patch exists for this vulnerability, so you must fix it by removing the SUNWssp or at least the suid bit from cb_reset.
The fourth recent root vulnerability is in ptexec (/opt/SUNWvts/bin/ptexec). Again, this is not part of the standard Solaris installation but is found in the SUNWvts package. With this installed, there is a buffer overflow vulnerability that can be exploited by a local user. No patch is available for this vulnerability either. One workaround is to remove the SUNWvts package or the suid bit from ptexec.
How do you keep your Solaris systems up to date?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.